Technical Field
This disclosure relates generally to securing information in a cloud computing or other shared deployment environment wherein disparate parties share Information Technology (IT) resources.
Background of the Related Art
An emerging information technology (IT) delivery model is cloud computing, by which shared resources, software and information are provided over the Internet to computers and other devices on-demand. Cloud computing can significantly reduce IT costs and complexities while improving workload optimization and service delivery. Cloud compute resources are typically housed in large server farms that run networked applications, typically using a virtualized architecture wherein applications run inside virtual servers, or so-called “virtual machines” (VMs), that are mapped onto physical servers in a data center facility. The virtual machines typically run on top of a hypervisor, which is a control program that allocates physical resources to the virtual machines. The different components may run on different subdomains in different physical cages in different data centers in different parts of the world, all running on different hardware with different proxy/gateway/session management capabilities and different back-end technologies.
Multiple entities (or “tenants”) share the infrastructure. With this approach, a tenant's application instance is hosted and made available “as-a-service” from Internet-based resources that are accessible, e.g., through a conventional Web browser over HTTP. A cloud compute environment, such as IBM SmartCloud® for Social Business (formerly known as LotusLive®), presents to the user as a single unified experience; in operation, the end user logs-in once against a centralized authentication component, and then transparently signs-on (e.g., via SAML (Security Assertion Markup Language)-based authentication and authorization techniques) into different components of the service.
Multi-tenant, collaborative SaaS (Software-As-A-Service) systems such as IBM SmartCloud® for Social Business often provide a number of different interfaces for customers. These might include: proprietary protocol-based installed end-user applications, browser-based end-user applications, mobile device servers (e.g., IBM Lotus Traveler Server) within the SaaS environment, mobile device servers outside the SaaS environment and typically used for individual customers, commercial third party products used by customers to access the SaaS system and hosted by customers, and customer applications accessing the SaaS system. This large variety of “accessors” to the cloud infrastructure complicates the service provider's ability to track usage within its shared infrastructure. Indeed, even within the “known” applications provider by the SaaS provider, there may be many sub-modes of usage. For example, routine end-user access patterns might differ substantially from actions taken by those applications to synchronize or replicate data to enable off-line usage of the application. Also, bugs occurring (e.g., especially in server-based accessors) may result in unintentional denial-of-service attacks on cloud resources, thereby inhibiting or undermining legitimate utilization of cloud resources.